UNCLASSIFIED

UNITED STATES DEPARTMENT OF STATE
AND THE BROADCASTING BOARD OF GOVERNORS
OFFICE OF INSPECTOR GENERAL

AUD-IT-IB-13-04    Office of Audits    November 2012

Audit of the Broadcasting Board of Governors Information Security Program

IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

United States Department of State and the Broadcasting Board of Governors
Office of Inspector General

PREFACE

This report is being transmitted pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared as part of the Office of Inspector General's (OIG) responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

In accordance with the Federal Information Security Management Act of 2002 (FISMA), OIG performed an audit of the Broadcasting Board of Governors Information Security Program for FY 2012. To perform this review, OIG contracted with the independent public accountant Williams, Adley & Company-DC, LLP. The management letter is based on interviews with employees and officials of relevant agencies and institutions, direct observation, and a review of applicable documents. The management letter contains identified weaknesses in information security that did not meet the criteria for inclusion in the annual FISMA report but require management action.

The independent public accountant identified weaknesses in security training and the contingency planning process.

OIG evaluated the nature, extent, and timing of the independent public accountant's work; monitored progress throughout the audit; reviewed supporting documentation; evaluated key judgments; and performed other procedures as appropriate. OIG concurs with the findings, and the recommendations contained in the management letter were developed based on the best knowledge available and discussed in draft form with those individuals responsible for implementation. OIG's analysis of management's response to the recommendations has been incorporated into the report. OIG trusts that this report will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of the individuals who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

WILLIAMS ADLEY

Audit of the Broadcasting Board of Governors Information Security Program

November 7, 2012

Office of Inspector General
U.S. Department of State
Washington, DC

Williams, Adley & Company-DC, LLP has performed an audit of the Broadcasting Board of Governors' (BBG) Information Security Program. We audited BBG's compliance with the Federal Information Security Management Act, Office of Management and Budget requirements, and National Institute of Standards and Technology standards. We performed this audit under Contract No. SAQMMA10F2159. The audit was designed to meet the objectives described in the report.

We conducted this performance audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. We communicated the results of our audit and the related findings and recommendations to the U.S. Department of State Office of Inspector General.

We appreciate the cooperation provided by BBG personnel during the audit.

WILLIAMS, ADLEY & COMPANY-DC, LLP
Certified Public Accountants | Management Consultants
1030 15th Street, NW, Suite 350 West • Washington, DC 20005 • (202) 371-1397 • Fax: (202) 371-9161
www.williamsadley.com

Acronyms

AC        Access Control
AD        Windows Active Directory
AT        Awareness and Training
BBG       Broadcasting Board of Governors
CIO       Chief Information Officer
CM        Configuration Management
DHS       Department of Homeland Security
FIPS      Federal Information Processing Standards
FISMA     Federal Information Security Management Act
GAGAS     Generally Accepted Government Auditing Standards
GAO       Government Accountability Office
IT        information technology
NIST      National Institute of Standards and Technology
OCB       Office of Cuba Broadcasting
OIG       Office of Inspector General
OMB       Office of Management and Budget
PM        Program Management
POA&M     Plans of Action and Milestones
PS        Personnel Security
SP        Special Publication
US-CERT   United States Computer Emergency Readiness Team

TABLE OF CONTENTS

Executive Summary
Background
Objective
Results of Audit
Finding A. Security Standards and Procedures Need To Be Implemented and Enforced
Finding B. Chief Information Officer Lacks Compliance Enforcement Authority
Finding C. User Account Management Controls Need Improvement
Finding D. Security Incidents Are Not Timely Reported to the United States Computer Emergency Readiness Team
Finding E. Compliance With Security Awareness Training Program Is Not Strictly Enforced
Finding F. Plans of Action and Milestones Are Not Properly Completed
Finding G. Remote Access to the Network Is Not Properly Managed and Controlled
Finding H. System Inventory Management Process Needs To Be Implemented
Finding I. Enterprise-Wide and System-Specific Contingency Plans Do Not Exist
List of Current Year Recommendations
A. Scope and Methodology
B. Followup of Recommendations From the FY 2011 Evaluation of the Broadcasting Board of Governors Information Security Program
C. Broadcasting Board of Governors Response

Executive Summary

In accordance with the Federal Information Security Management Act of 2002 (FISMA),[1] the Office of Inspector General (OIG) contracted with Williams, Adley & Company, LLP (referred to as “we” in this report), to perform an independent audit of the Broadcasting Board of Governors (BBG) Information Security Program's compliance with Federal laws, regulations, and standards established by FISMA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). Additionally, the results are designed to assist OIG in providing responses to the Department of Homeland Security (DHS) FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, dated March 6, 2012.

We reviewed BBG's remedial actions taken to address the FY 2011 reported information security program control weaknesses identified in OIG's FY 2011 report Evaluation of the Broadcasting Board of Governors Information Security Program (AUD/IT/IB-12-15, November 2011). The statuses of the FY 2011 evaluation recommendations are in Appendix B. Since FY 2011, BBG has taken the following steps to improve management controls:

• Implemented security tools and procedures to perform routine vulnerability assessments across the BBG network.
• Developed policies and procedures to limit and manage the use of shared, test, and guest user accounts.

Overall, we found that BBG had continued its efforts to further develop its information security program. However, we identified control weaknesses that, if exploited, could adversely affect the confidentiality, integrity, and availability of information and information systems. Further, we found that BBG had not taken corrective action to remediate all of the control weaknesses identified in the FY 2011 FISMA report. To improve the information security program and to bring the program into compliance with FISMA, OMB, and NIST requirements, BBG should address the control weaknesses discussed.

BBG did not fully develop security procedures and guidance to govern configuration management processes, the absence of which may lead to ineffectual systems security and inconsistent performance. We are recommending that the Chief Information Officer (CIO) ensure that security configuration standards and procedures are completed, as required by NIST Special Publication (SP) 800-53, Revision 3.[2]

Although BBG's Information Technology Department provided services and guidelines to the Office of Cuba Broadcasting (OCB), BBG's CIO did not possess the authority to enact consequences for noncompliance with BBG security requirements, potentially exposing BBG's network and systems to risks and vulnerabilities. We are recommending that BBG develop and implement policies to require all agencies with systems that connect to the BBG network to follow established BBG security policies. Further, we are recommending that BBG grant the CIO the necessary authority to enforce consequences for noncompliance.

BBG's user account management controls did not ensure that system access was provided to only authorized personnel. We observed the following management control deficiencies for “active” user accounts in the Windows Active Directory[3] (AD): 93 accounts were not used for more than 90 days, 31 accounts did not require the use of a password, and passwords for 411 accounts were not changed for over 90 days. We are recommending that the CIO ensure that user accounts are properly configured and maintained in accordance with existing BBG policies.

One of two security incidents that BBG identified and reported to the United States Computer Emergency Readiness Team (US-CERT) at DHS was reported three business days after observation rather than within one business day after observation, as required by US-CERT. Without timely reporting of security incidents to US-CERT, BBG may adversely impact US-CERT's ability to improve the nation's cybersecurity. We are recommending that the CIO ensure that BBG Computer Security Incident Management Policy procedures are followed and security incidents are reported in a timely manner, as required by US-CERT.

Less than 25 percent of BBG's personnel completed security awareness training in FY 2011, yet BBG did not sanction employees and contractors who did not complete the annual security awareness training course. Without the completion of initial and annual security awareness training, personnel may be unaware of new risks that may compromise the confidentiality, integrity, and availability of information. We are recommending that the CIO develop and implement a formal sanction process for personnel who do not successfully complete required security awareness training.

Although BBG had implemented revisions to its Plans of Action and Milestones (POA&M) program, the completed POA&Ms did not consistently provide sufficient detailed information. Without a robust POA&M program that includes sufficient details for managing and tracking corrective actions, BBG's information technology (IT) management may be unable to properly assess and implement corrective activities and may be unable to ensure that security issues are resolved in a timely manner. We are recommending that the CIO ensure that the BBG POA&M program is fully developed to include data elements required by OMB Memorandum M-02-01.[4]

BBG's remote access policy allowed users to access the BBG network from personally owned computers using software provided by BBG. However, BBG had not implemented procedures to ensure that remote access was granted only to computers that had proper security safeguards. Without proper policies and procedures that require the use of properly secured third-party devices, BBG network and systems may be susceptible to the introduction of viruses, worms, or other malicious code. We are recommending that the CIO implement procedures to assess the security configurations of third-party devices requesting access to the BBG network and grant access only to properly configured devices, as required by NIST SP 800-53, Revision 3.[5]

BBG did not implement a process or procedure to fully manage and routinely update its inventory of IT assets at least annually or when changes were made to its systems. Without a process to identify, document, and maintain an inventory of major and minor applications, as well as general support systems, BBG may not have an accurate accounting of its IT assets and the related system interfaces and underlying support systems. We are recommending that the CIO create and implement a standardized process to collect information, update the BBG system inventory, and update the general support system's security plan control, as required by NIST SP 800-53, Revision 3.[6]

BBG did not develop and implement contingency planning and testing policies and procedures compliant with OMB requirements and requirements contained in NIST SP 800-34, Revision 1, “Contingency Planning Guide for Federal Information Systems.” Specifically, BBG did not complete its enterprise-wide and system-specific contingency plans or conduct contingency tests. Without an effective contingency plan, BBG may be unable to access critical information and resources and perform mission-critical business functions in the event of an extended outage and/or disaster. We are recommending that the CIO ensure that contingency planning policies and procedures be developed and implemented and that personnel responsible for network and systems recovery complete training and perform periodic testing.

Although this report contains nine recommendations, we believe the most significant security deficiencies relate to security standards and procedures (Finding A), compliance enforcement authority (Finding B), Plans of Action and Milestones (Finding F), and enterprise-wide and system-specific contingency plans (Finding I).

In BBG's November 6, 2012, response (see Appendix C) to this report, BBG concurred with all of the report's recommendations. Based on this information, the Office of Inspector General (OIG) considers each recommendation resolved. BBG's responses and OIG's analyses are presented after each recommendation.

[1] Pub. L. No. 107-347, tit. III, 116 Stat. 2946 (2002).
[2] NIST SP 800-53, Rev. 3, “Recommended Security Controls for Federal Information Systems and Organizations,” Aug. 2009 (updated through May 2010).
[3] Windows Active Directory (AD), a technology created by Microsoft, provides a variety of network services, such as identification and authentication, directory access, and other network services.
[4] OMB Memorandum M-02-01, “Guidance for Preparing and Submitting Security Plans of Action and Milestones,” Oct. 17, 2001.
[5] NIST SP 800-53, Rev. 3, AC-17, “Remote Access.”
[6] NIST SP 800-53, Rev. 3, CM-8, “Information System Component Inventory.”

Background

With the passage of FISMA, Congress recognized the importance of information security to the economic and national security interests of the United States and required each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or source. FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of management, operational, and technical controls over IT that supports Federal operations and assets, and it provides a mechanism for improved oversight of Federal agency information security programs.

To strengthen information system security, FISMA assigns specific responsibilities to DHS, NIST, OMB, and other Federal agencies. In particular, FISMA requires the head of each agency to implement policies and procedures to cost effectively reduce IT security risks to an acceptable level. To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency's information security program and report the results to DHS.

On an annual basis, OMB provides guidance with reporting categories and questions to meet the current year's reporting requirements.[7]
OMB uses responses to its questions to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with FISMA.

[7] DHS FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics.

Objective

The objective of this audit was to perform an independent evaluation of BBG's information security program and practices for FY 2012, which included testing the effectiveness of security controls for a subset of systems, as required.

Results of Audit

Overall, we found that BBG made progress in FY 2012 toward developing its information security program, but significant challenges remain. BBG needs to address several control weaknesses as described to bring the information security program into compliance with FISMA, OMB, and NIST requirements.

Finding A. Security Standards and Procedures Need To Be Implemented and Enforced

As first identified during the FY 2010 Review of the Information Security Program at the Broadcasting Board of Governors (AUD/IT-10-09, November 2009), BBG did not complete the development of procedures and guidance to govern routine and critical configuration management processes during Fiscal Year 2012, although BBG was in the process of gathering system information for the development of its standard baseline configurations.

According to NIST SP 800-53, Revision 3, CM-1, “Configuration Management [CM] Policy and Procedures,” the organization develops, disseminates, and periodically reviews and updates:

a. A formal, documented, configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

BBG's IT management stated that a lack of human resources hindered their ability to complete the implementation of the security standards and procedures. BBG's IT management further stated that systems were being retired in an effort to improve standardization.

Without detailed procedures and guidance to govern the performance of routine and critical configuration management processes, BBG may not be able to effectively secure its systems, which may lead to the introduction of security weaknesses and inconsistent performance.

Recommendation 1. We recommend that the Chief Information Officer ensure that security configuration standards and procedures are completed, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Management Comments: BBG concurred with the recommendation, stating that it had “created and filled a Change Manager Position within TSI's IT Directorate to address configuration standards and procedures.” BBG further stated that through the Change Manager's efforts, “TSI is adopting change management policy and processes consistent with Information Technology Information Library standards” and that TSI has acquired Microsoft's System Center Configuration Manager (MS SCCM) for configuration management of agency servers and workstations. According to BBG, configuration planning for the MS SCCM implementation is underway; “full production system utilization” is expected by March 31, 2013; and the CIO will oversee testing of MS SCCM and the development of associated processes.

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that security configuration standards and procedures have been developed and implemented.

Finding B. Chief Information Officer Lacks Compliance Enforcement Authority

Although BBG's IT Department provided services and guidelines to the Office of Cuba Broadcasting (OCB), BBG's CIO did not have the authority to enforce security requirements at OCB or enact consequences for noncompliance. Instead, OCB maintained responsibility for the configuration of its systems and the assignment of access to its systems. As a result, BBG had no assurance that OCB's systems that connected to the BBG network were configured with adequate preventative and detective safeguards.

According to NIST SP 800-53, Revision 3, PM-1, “Information Security Program Plan,” the organization:

Develops and disseminates an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.

NIST SP 800-53, Revision 3, PM-2, “Senior Information Security Officer,” further states that “the organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.”

OCB, which directs the operations of Radio and TV Martí, reports directly to the BBG Board of Governors and not to BBG's CIO. Although BBG's IT Department provided services to OCB, as mandated by the Board of Governors, BBG's CIO cannot enforce its security requirements because of this reporting structure.

Without the authority to enforce BBG's security policies and procedures for all systems that access the BBG network, BBG's CIO cannot ensure that security controls are properly managed and maintained. As a result, systems may operate in the production environment without appropriate controls or management oversight, exposing BBG's network and systems to additional risks and vulnerabilities.

Recommendation 2.
We recommend that the Broadcasting Board of Governors develop and implement policies to require all agency entities with systems that connect to the Broadcasting Board of Governors network to abide by the security policies and requirements established by the Broadcasting Board of Governors Information Technology Department and grant the Chief Information Officer the necessary authority to enforce consequences for noncompliance.

Management Comments: BBG concurred with the recommendation, stating that the CIO “will attempt to strengthen the IT security controls over all Federal BBG elements,” which include the International Broadcasting Bureau, OCB, and the Voice of America, which connect to the BBG's Wide Area Network (WAN). BBG further stated that “compensating controls will be put in place to ensure an acceptable risk level” for BBG “[i]f full compliance cannot be met” and that the CIO “will continue to assess progress.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed pending OIG's review and approval of documentation showing that BBG's policies and procedures require all agency entities with systems that connect to the Broadcasting Board of Governors network to abide by the security policies and requirements.

Finding C. User Account Management Controls Need Improvement

As first identified during the FY 2010 review,[8] BBG's user account management controls did not ensure that access was provided to authorized personnel only. Although BBG had implemented new user account management controls in FY 2012, including policies and procedures restricting the use of guest, test, and shared user accounts, we observed the following account management control deficiencies: Of 3,551 “active” user accounts in AD, 93 accounts were not accessed for more than 90 days, 31 accounts did not require the use of a password, and passwords for 411 accounts were not changed for over 90 days.

BBG policy[9] requires system owners to implement the policy and procedures for managing access to IT systems, including creating, deleting, and monitoring user accounts and establishing processes to disable user accounts that have been inactive for 45 days or more. With respect to password management, BBG policy[10] for all information systems and information system components requires passwords to be constructed according to set length and complexity requirements and requires passwords to be changed every 90 days.

BBG management stated that its previous use of older technology had prevented BBG from segmenting its users, effectively requiring manual intervention to process exceptions to its stated policies. Exceptions to the stated policies were granted for user accounts that did not routinely log in to the network. BBG management also stated that some user accounts were improperly configured during the migration to Microsoft Office 365.[11]

Without more stringent user account management controls, the risk of unauthorized use of user accounts, and thus of unauthorized access to systems, increases significantly. Unauthorized access to systems may result in the submission of false transactions, improper access to and dissemination of confidential data, and other malicious activities.
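The three deficiency classes described above map directly onto attributes every AD user object carries. The following is an added example, not part of the audit report and not BBG's or the auditors' tooling, showing how a reviewer would detect them in an export of user attributes: "did not require the use of a password" is the PASSWD_NOTREQD bit of userAccountControl, "not accessed for more than 90 days" is derived from lastLogonTimestamp, and "password not changed for over 90 days" from pwdLastSet, both of which AD stores as Windows FILETIME integers. The attribute names and flag values are Microsoft's documented ones; the sample accounts, the audit date, and the helper names are constructed for the example. The 45-day inactivity and 90-day password-age thresholds are the BBG policy values cited above.

```python
"""Detect the Finding C account deficiencies in an export of AD user attributes.

Added example (not from the audit report). Attribute names and flag bits are
real AD values; the records, audit date, and function names are constructed.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (documented Microsoft values).
ACCOUNTDISABLE = 0x0002         # account is disabled
PASSWD_NOTREQD = 0x0020         # an empty password is accepted at logon
NORMAL_ACCOUNT = 0x0200         # ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000  # maximum password age is not enforced

# lastLogonTimestamp and pwdLastSet are FILETIME values: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """UTC datetime for a FILETIME integer; None for 0, which AD uses for 'never'
    (no logon recorded, or password must be changed at next logon)."""
    if not ft:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic (no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def audit_accounts(records, now, inactive_days=45, max_password_age_days=90):
    """Return {sAMAccountName: [(code, detail), ...]} for accounts that break policy.

    Defaults are the BBG policy values cited in Finding C (disable after 45 idle
    days, change passwords every 90 days). Disabled accounts skip the age checks;
    PASSWD_NOTREQD is reported regardless because the bit survives re-enabling.
    """
    findings = {}
    for rec in records:
        name = rec["sAMAccountName"]
        uac = int(rec["userAccountControl"])
        issues = []

        if uac & PASSWD_NOTREQD:
            issues.append(("no_password_required", "PASSWD_NOTREQD set: empty password accepted"))

        if not uac & ACCOUNTDISABLE:
            # lastLogonTimestamp replicates domain-wide but can lag the true last
            # logon by up to 14 days; that tolerance is fine for a 45/90-day test.
            last_logon = filetime_to_datetime(int(rec.get("lastLogonTimestamp", 0)))
            if last_logon is None:
                issues.append(("never_logged_on", "enabled but no logon ever recorded"))
            elif (now - last_logon).days > inactive_days:
                issues.append(("inactive", f"no logon for {(now - last_logon).days} days"))

            # pwdLastSet == 0 means 'must change at next logon', which is not stale.
            pwd_set = filetime_to_datetime(int(rec.get("pwdLastSet", 0)))
            if pwd_set is not None and (now - pwd_set).days > max_password_age_days:
                detail = f"password {(now - pwd_set).days} days old"
                if uac & DONT_EXPIRE_PASSWORD:
                    detail += " and DONT_EXPIRE_PASSWORD set"
                issues.append(("stale_password", detail))

        if issues:
            findings[name] = issues
    return findings


def summarize(findings):
    """Count accounts per deficiency code, the way the audit reports its totals."""
    counts = {}
    for issues in findings.values():
        for code in {code for code, _ in issues}:
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample, not BBG data. Audit date assumed to be the end of FY 2012.
AUDIT_DATE = datetime(2012, 9, 30, tzinfo=timezone.utc)


def _ft(days_ago):
    return datetime_to_filetime(AUDIT_DATE - timedelta(days=days_ago))


SAMPLE_RECORDS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": _ft(3), "pwdLastSet": _ft(20)},                     # compliant
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": _ft(120), "pwdLastSet": _ft(130)},                  # idle, stale password
    {"sAMAccountName": "svc_backup", "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD,
     "lastLogonTimestamp": _ft(1), "pwdLastSet": _ft(10)},                     # no password required
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "lastLogonTimestamp": _ft(2), "pwdLastSet": _ft(400)},                    # exempted from expiry
    {"sAMAccountName": "oldtemp", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "lastLogonTimestamp": _ft(500), "pwdLastSet": _ft(500)},                  # disabled: ignored
    {"sAMAccountName": "newhire", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": 0, "pwdLastSet": 0},                                # never used
]

if __name__ == "__main__":
    result = audit_accounts(SAMPLE_RECORDS, AUDIT_DATE)
    for name, issues in result.items():
        for code, detail in issues:
            print(f"{name}: {code}: {detail}")
    print(summarize(result))
```

Against a live directory the records would come from an LDAP export or from `Get-ADUser -Filter * -Properties userAccountControl,lastLogonTimestamp,pwdLastSet`. Two design points matter for an audit of this kind: the DONT_EXPIRE_PASSWORD check is what usually explains "active" accounts whose passwords are far older than the 90-day policy, since the domain policy simply does not apply to them; and the audit's own 90-day inactivity figure corresponds to `inactive_days=90`, whereas BBG policy requires disablement at 45, so running with the default shows the larger population the policy actually covers.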
1, 2011.\n11 Microsoft Office 365, a hosted service provided by Microsoft, offers virtual access to Microsoft solutions, such as\nemail, calendars, Web-based applications, instant messaging, conferencing, and file sharing.\n                                                          7\n\n                                               UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n          Recommendation 3. We recommend that the Chief Information Officer ensure that user\n          accounts are properly configured and maintained in accordance with the Broadcasting\n          Board of Governors policies. If the Broadcasting Board of Governors determines that\n          exceptions to the implemented policies may be necessary, the Broadcasting Board of\n          Governors should identify, assess, and document the associated risks. If the Broadcasting\n          Board of Governors further determines that the identified risks are acceptable, the\n          exceptions should be documented and approved by information technology management.\n\n          Management Comments: BBG concurred with the recommendation, stating that the\n          CIO \xe2\x80\x9cwill review and strengthen IT processes that manage user accounts\xe2\x80\x9d and that it\n          \xe2\x80\x9cstrongly believes that the \xe2\x80\x9caccount irregularities\xe2\x80\x9d OIG observed during the audit\n          \xe2\x80\x9cresulted from temporary transition issues caused by migration of agency mail accounts\n          and VPN [virtual private network] token vendors.\xe2\x80\x9d BBG stated that it expected the\n          recommendation to be complied with by January 31, 2013.\xe2\x80\x9d\n\n          OIG Analysis: OIG considers the recommendation resolved. 
This recommendation can be closed pending OIG review and approval of documentation showing that a process has been implemented to properly configure and maintain user accounts, including the disabling of user accounts that are no longer needed.

Finding D. Security Incidents Are Not Timely Reported to the United States Computer Emergency Readiness Team

One of two security incidents that BBG identified and reported to US-CERT at DHS was not reported in accordance with US-CERT’s reporting requirements. The incident, which pertained to the identification of malicious code, was not reported within one business day, as required by US-CERT. Rather, BBG reported the incident three business days after it was identified.

The US-CERT Federal Incident Reporting Guidelines and NIST SP 800-61, Revision 1, [12] require the following:

Category: CAT 3
Name: Malicious Code
Description: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus software.
Reporting Time Frame: Daily. Note: Within one (1) hour of discovery/detection if widespread across agency.

[12] NIST SP 800-61, Rev. 1, “Computer Security Incident Handling Guide,” Mar. 2008.

Further, BBG policy [13] requires BBG’s Computer Security Incident Response Team to categorize and report security incidents in accordance with US-CERT and NIST SP 800-61. [14]

Although the security incident had been properly recorded in BBG’s incident tracking system, reporting to US-CERT was delayed while BBG conducted its assessment. BBG’s IT management stated that they were focused on identifying the cause of the problem and subsequently remediating the identified weakness, which delayed reporting.

Without timely reporting of security incidents to US-CERT, BBG may adversely affect US-CERT’s ability to improve the Nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks.

Recommendation 4. We recommend that the Chief Information Officer ensure that procedures as stated within the Broadcasting Board of Governors Computer Security Incident Management Policy are followed to ensure that security incidents are properly reported, as required by the United States Computer Emergency Readiness Team’s Federal Incident Reporting Guidelines.

Management Comments: BBG concurred with the recommendation, stating that the CIO “has taken steps to implement this policy immediately.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed pending OIG review and approval of documentation showing that security incidents are properly reported as required.

Finding E. Compliance With Security Awareness Training Program Is Not Strictly Enforced

As first reported in the FY 2010 review, [15] BBG did not sanction employees and contractors who had not completed the annual security awareness training course. Specifically, less than 25 percent of BBG personnel completed security awareness training in FY 2011. At the completion of our onsite verification in July 2012, BBG had just started its annual security awareness training program, which includes both online and in-person training. Although 3 months remained in the fiscal year during which BBG personnel could complete the training, consequences for noncompliance had not been implemented.

OMB Memorandum M-12-20, “FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” Oct. 2, 2012, requires “all employees to receive annual security and privacy awareness training, and they must be included as part of [an] agency’s training totals.”

[13] Computer Security Incident Management Policy, May 16, 2011, revised Jan. 11, 2012.
[14] NIST SP 800-61, Rev. 1, “Computer Security Incident Handling Guide,” Mar. 2008.
[15] AUD/IT-10-09, Nov. 2009.

Regarding compliance with policies and procedures, NIST SP 800-53, Revision 3, Personnel Sanctions (PS-8), states, “The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.”

BBG’s IT management stated that enforcement of the security awareness training policy had not been implemented because of concerns about possible disruption of BBG’s mission and employees’ job responsibilities if user access was restricted. BBG’s IT management further stated that in-person training presentations had been developed to increase compliance.

Without the completion of initial and annual security awareness training, personnel may be unaware of new risks that may compromise the confidentiality, integrity, and availability of information. As a result, personnel may be unable to recognize and respond appropriately to real and potential security threats.

Recommendation 5. We recommend that the Chief Information Officer develop and implement a formal sanction process for personnel who do not successfully complete the security awareness training, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Management Comments: BBG concurred with the recommendation, stating that the CIO and BBG’s leadership team “have taken steps to implement strict discipline measures effective this year with the current cycle of the IT security awareness training.” BBG further stated that on the security awareness training deadline (October 31, 2012), TSI’s IT Directorate notified BBG users and their direct supervisors that IT was “prepared to disable their computer accounts” if the employees did not complete the required training by November 2, 2012. BBG stated that the extension was provided because of “potential hardships” caused by Hurricane Sandy. BBG stated that its compliance rate was 92 percent, versus its 2011 rate of 25 percent, and stated that “senior management has been apprised of the email message sent to impacted employees.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed pending OIG review and approval of the revised security awareness training policy showing the enforcement actions to be taken for noncompliant personnel.

Finding F. Plans of Action and Milestones Are Not Properly Completed

Although BBG implemented revisions to its POA&M program, the completed POA&Ms did not consistently provide sufficient detail, such as the resources required to address the security weaknesses, the milestones used to measure progress toward completion, and changes to the milestones when corrective actions were not completed or were past due.

OMB Memorandum M-12-20 [16] states, “While agencies are no longer required to follow the exact format prescribed in the POA&M examples in OMB Memorandum 04-25, they must still include all of the associated data elements in their POA&Ms.”

Regarding the data elements required in the POA&M, OMB Memorandum M-04-25 [17] states that the following information must be included:

• Severity and brief description of the weakness.
• Identity of the office or organization responsible for resolving the weakness.
• Estimated funding and personnel required to resolve the weakness.
• Scheduled completion date for resolving the weakness.
• Key milestones with completion dates.
• Changes to milestones, including new completion dates for the changed milestone.
• The source of the weakness (for example, program review, OIG audit, or GAO audit).
• Status (for example, ongoing or completed).

Further, BBG policy [18] requires BBG’s POA&Ms to include the data elements stated in OMB Memorandum M-02-01. [19]

BBG’s IT management stated that the development of its POA&M program was a “work in progress” and that the POA&M program had not included “such granular project management” because of the relatively small number of personnel involved in the remediation efforts, as well as the frequent meetings held among the responsible personnel.

Without a robust POA&M program that includes sufficient details for managing and tracking corrective actions, BBG’s IT management may be unable to properly assess the status of corrective activities. As a result, BBG may encounter delays in the implementation of corrective actions, preventing security issues from being resolved in a timely manner. Additionally, IT management may be unable to properly assess and prioritize the resources required to implement corrective actions.

Recommendation 6. We recommend that the Chief Information Officer ensure that the Broadcasting Board of Governors Plans of Action and Milestones program is developed in accordance with its policy, which requires the Broadcasting Board of Governors Plans of Action and Milestones to include the data elements found in Office of Management and Budget Memorandum M-02-01.

Management Comments: BBG concurred with the recommendation, stating, “The CIO will expand on the data elements contained in the POA&M tracking sheet as efforts continue to mature internal IT project governance.” BBG further stated that this improvement will be reflected in “the March 2013 quarterly cycle of POA&M tracking sheets.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed pending OIG review and approval of documentation showing that POA&Ms are being reviewed and updated periodically and that they include the data elements required by BBG policy.

[16] OMB Memorandum M-12-20, Oct. 2, 2012.
[17] OMB Memorandum M-04-25, “FY 2004 Reporting Instructions for the Federal Information Security Management Act,” Aug. 23, 2004.
[18] Information Security Plan of Action and Milestones (POA&M) Policy, May 12, 2010, revised Feb. 9, 2012.
[19] OMB Memorandum M-02-01, Oct. 17, 2001.

Finding G. Remote Access to the Network Is Not Properly Managed and Controlled

As first identified during the FY 2010 review, [20] BBG’s remote access policy allowed users to access the BBG network from personally owned computers using software provided by BBG. However, BBG had not implemented procedures to ensure that remote access was granted only to computers that had proper security safeguards.

NIST SP 800-53, Revision 3, AC-17, “Remote Access,” states the following:

Control: The organization:

a. Documents allowed methods of remote access to the information system;
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access to the information system;
d. Authorizes remote access to the information system prior to connection; and
e. Enforces requirements for remote connections to the information system.

BBG’s IT management stated that a process had been drafted and a software tool had been identified that will detect and scan the security settings of computers attempting to access the BBG network remotely and deny requests from computers with improper safeguards. However, BBG IT management stated that the tool had not been implemented because of ongoing changes to the remote access process, as well as the need to direct available resources to other IT projects.

Without proper policies and procedures that require the use of properly secured third-party devices, the BBG network and systems may be susceptible to the introduction of viruses, worms, or other malicious code by such third-party devices.

Recommendation 7. We recommend that the Chief Information Officer implement procedures to assess the adequacy of the security configurations of third-party devices that request access to the Broadcasting Board of Governors network and grant access only to properly configured devices, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

[20] AUD/IT-10-09, Nov. 2009.

Management Comments: BBG concurred with the recommendation, stating that the CIO would “develop the process and initiate planning and testing of the tool procured to assess the adequacy of the security configurations of third-party devices that request access (generally through a Virtual Private Network [VPN]) to the BBG network.” BBG further stated that access will be granted only to those devices whose configurations are deemed sufficient by March 31, 2013.

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed pending OIG review and approval of documentation showing that BBG has implemented the process to assess the adequacy of the security configurations of third-party devices as described.

Finding H. System Inventory Management Process Needs To Be Implemented

As first identified during the FY 2010 review, [21] BBG did not implement a process or procedures to manage and routinely update its inventory of IT assets at least annually or when changes were made to its systems.
Although BBG had implemented a tool to record its system inventory, the corresponding process and procedures for developing and maintaining the system inventory had not been implemented.

FISMA requires the heads of each agency to develop and maintain an inventory of major information systems, including major national security systems, operated by or under the agency’s control, and to identify information systems in an inventory, including identifying the interfaces between each system and all other systems or networks and those not operated by or under the control of the agency. FISMA further requires the inventory to be updated at least annually, to be made available to the Comptroller General, and to be used to support information resources management. Additionally, NIST SP 800-53, Revision 3, CM-8, “Information System Component Inventory,” requires the following:

Control: The organization develops, documents, and maintains an inventory of information system components that:

a. Accurately reflects the current information system;
b. Is consistent with the authorization boundary of the information system;
c. Is at the level of granularity deemed necessary for tracking and reporting;
d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and
e. Is available for review and audit by designated organizational officials.

[21] AUD/IT-10-09, Nov. 2009.

BBG’s IT management stated that the process and procedures for developing and maintaining the system inventory had not been completed because of a lack of standards for the system inventory’s information requirements. The lack of standards resulted in a great deal of variation in the information that had been collected and supplied by system owners, for example, licensing information and planned retirement dates.

Without a process to identify, document, and maintain an inventory of major and minor applications, as well as general support systems, BBG may not have an accurate accounting of its IT assets and the related system interfaces and underlying support systems. An inaccurate or incomplete asset inventory may also prevent BBG from effectively implementing its continuous monitoring program and practices, including performing vulnerability scans of its assets. Additionally, critical management processes such as strategic planning, budgeting, system administration, and resource management may be adversely affected.

Recommendation 8. We recommend that the Chief Information Officer ensure that the Information Technology Director create and implement a standardized process to collect information used to develop and subsequently update the Broadcasting Board of Governors system inventory and update the general support system’s security plan control for CM-8, “Information System Component Inventory,” specifically, the organizationally defined frequency of inventory assessments, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Management Comments: BBG concurred with the recommendation, stating that it had acquired an inventory management software tool and was establishing internal tracking processes. BBG further stated that although “significant progress has been made,” full implementation was not expected until March 31, 2013, and that the CIO would “continue to oversee this effort.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed pending OIG review and approval of documentation showing that BBG has implemented a system inventory process, including standards for collecting information used to develop and subsequently update BBG’s system inventory.

Finding I. Enterprise-Wide and System-Specific Contingency Plans Do Not Exist

As first identified during the FY 2010 review, [22] BBG did not develop and implement contingency planning and testing policies and procedures compliant with OMB and NIST requirements contained in NIST SP 800-34. [23] Specifically, BBG did not complete its enterprise-wide and system-specific contingency plans or conduct contingency tests.

[22] AUD/IT-10-09, Nov. 2009.
[23] NIST SP 800-34, Rev. 1, “Contingency Planning Guide for Federal Information Systems,” May 2010 (last updated Nov. 11, 2010).

NIST SP 800-34, Revision 1, [24] states that information systems are “vital elements” in most business functions and that “it is critical” that the services provided by these systems be able to operate effectively without excessive interruption. The NIST guidance [25] further states, “Contingency planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption.”

BBG’s IT management stated that although a strategic plan had been developed to address BBG’s contingency and business resumption needs, resources had not been appropriated for the development of such policies, procedures, and the related contingency plans because of ongoing changes to the system architecture and other competing priorities.

Without an effective contingency plan, which includes periodic testing of the plan’s reliability, BBG may be unable to access critical information and resources and to perform mission-critical business functions in the event of an extended outage and/or disaster. As a result, BBG may be unable to resume operations in an efficient and effective manner should such an incident occur.

Recommendation 9. We recommend that the Chief Information Officer ensure that the Director of Disaster Recovery and Business Continuity develop and implement contingency planning policies and procedures, develop contingency plans for the Broadcasting Board of Governors infrastructure (network) and its major systems, provide contingency planning training to personnel who are responsible for the recovery of the network and systems, perform periodic testing of the Broadcasting Board of Governors contingency plans, and update the plan based on lessons learned, as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

Management Comments: BBG concurred with the recommendation, stating that it “agrees to further develop contingency plans and increase investments in offsite systems to be used for business continuity.” BBG further stated that “[t]o support and lead this effort, the CIO is attempting to fill a Disaster Recovery and Business Continuity Manager position.” “If full compliance cannot be met,” according to BBG, “compensating controls will be put in place to ensure an acceptable risk level for BBG” and the CIO “will continue to assess progress.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed pending OIG review and approval of documentation showing the development of contingency planning policies and procedures that include training requirements for personnel responsible for the recovery of the network and systems and contingency plans for the BBG infrastructure and its major systems.

[24] Ibid., p. 1.
[25] Ibid., p. 1.

List of Current Year Recommendations

Recommendation 1. We recommend that the Chief Information Officer ensure that security configuration standards and procedures are completed, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Recommendation 2. We recommend that the Broadcasting Board of Governors develop and implement policies to require all agency entities with systems that connect to the Broadcasting Board of Governors network to abide by the security policies and requirements established by the Broadcasting Board of Governors Information Technology Department and grant the Chief Information Officer the necessary authority to enforce consequences for noncompliance.

Recommendation 3. We recommend that the Chief Information Officer ensure that user accounts are properly configured and maintained in accordance with the Broadcasting Board of Governors policies. If the Broadcasting Board of Governors determines that exceptions to the implemented policies may be necessary, the Broadcasting Board of Governors should identify, assess, and document the associated risks. If the Broadcasting Board of Governors further determines that the identified risks are acceptable, the exceptions should be documented and approved by information technology management.

Recommendation 4. We recommend that the Chief Information Officer ensure that procedures as stated within the Broadcasting Board of Governors Computer Security Incident Management Policy are followed to ensure that security incidents are properly reported, as required by the United States Computer Emergency Readiness Team’s Federal Incident Reporting Guidelines.

Recommendation 5. We recommend that the Chief Information Officer develop and implement a formal sanction process for personnel who do not successfully complete the security awareness training, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Recommendation 6. We recommend that the Chief Information Officer ensure that the Broadcasting Board of Governors Plans of Action and Milestones program is developed in accordance with its policy, which requires the Broadcasting Board of Governors Plans of Action and Milestones to include the data elements found in Office of Management and Budget Memorandum M-02-01.

Recommendation 7. We recommend that the Chief Information Officer implement procedures to assess the adequacy of the security configurations of third-party devices that request access to the Broadcasting Board of Governors network and grant access only to properly configured devices, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Recommendation 8. We recommend that the Chief Information Officer ensure that the Information Technology Director create and implement a standardized process to collect information used to develop and subsequently update the Broadcasting Board of Governors system inventory and update the general support system’s security plan control for CM-8, “Information System Component Inventory,” specifically, the organizationally defined frequency of inventory assessments, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

Recommendation 9. We recommend that the Chief Information Officer ensure that the Director of Disaster Recovery and Business Continuity develop and implement contingency planning policies and procedures, develop contingency plans for the Broadcasting Board of Governors infrastructure (network) and its major systems, provide contingency planning training to personnel who are responsible for the recovery of the network and systems, perform periodic testing of the Broadcasting Board of Governors contingency plans, and update the plan based on lessons learned, as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

Appendix A

A. Scope and Methodology

In order to fulfill its responsibilities related to the Federal Information Security Management Act of 2002 (FISMA), [1] the Office of Inspector General (OIG), Office of Audits, contracted with Williams, Adley & Company, LLP (referred to as “we” in this appendix), an independent public accountant, to evaluate the Broadcasting Board of Governors (BBG) information security program and practices to determine the effectiveness of such programs and practices for FY 2012. The OIG and Williams, Adley & Company-DC, LLP, held an exit conference with BBG management on November 7, 2012.

FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
To ensure the adequacy and effectiveness of these controls,\nFISMA requires the agency inspector general or an independent external auditor to perform\nannual reviews of the information security program and to report those results to the Office of\nManagement and Budget (OMB) and the Department of Homeland Security (DHS). DHS uses\nthis data to assist in oversight responsibilities and to prepare its annual report to Congress\nregarding agency compliance with FISMA.\n\n        We conducted the audit from April through September 2012. In addition, we performed\nthe audit in accordance with Generally Accepted Government Auditing Standards (GAGAS),\nFISMA, OMB, and National Institute of Standards and Technology Special Publication (NIST\nSP) guidance. GAGAS requires that we plan and perform the audit to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives.\n\n       We used the following laws, regulations, and policies to evaluate the adequacy of the\ncontrols in place at BBG:\n\n        \xe2\x80\xa2   DHS Inspector General FISMA Reporting Metrics. 2\n                                                                  3\n        \xe2\x80\xa2   OMB Memoranda M-02-01, M-04-04, M-06-19, and M-12-20.\n\n1 Pub. L. No. 107-347, tit. III, 116 Stat. 2946, (2002).\n2 DHS FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, dated Mar. 6,\n2012.\n3 OMB Memorandum M-02-01, \xe2\x80\x9cGuidance for Preparing and Submitting Security Plans of Action and Milestones,\nOct. 17, 2001; OMB Memorandum M-04-04, \xe2\x80\x9cE-Authentication Guidance for Federal Agencies,\xe2\x80\x9d Dec. 
16, 2003;\nOMB Memorandum M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating\nthe Cost for Security in Agency Information Technology Investments,” July 12, 2006; and OMB Memorandum\nM-12-20, “FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy\nManagement,” Oct. 2, 2012.\n\n        •   BBG policies and procedures, such as the BBG Computer Security Incident\n            Management Policy.\n        •   Federal laws, regulations, and standards, such as FISMA and those contained\n            in OMB Circular No. A-130, Revised,[4] and OMB Circular No. A-11.[5]\n        •   NIST SPs, Federal Information Processing Standards (FIPS), other\n            applicable NIST publications, and industry best practices.\n\n       During our audit, we assessed BBG’s information security program policies, procedures,\nand processes in the following areas:\n\n        •   Continuous monitoring management\n        •   Configuration management\n        •   Identity and access management\n        •   Incident response and reporting\n        •   Risk management\n        •   Security training\n        •   Plans of action and milestones\n        •   Remote access management\n        •   Contingency planning\n        •   Contractor systems\n        •   Security capital planning\n\n       The audit covered the period October 1, 2011, to September 30, 2012. 
During the\nfieldwork, we took the following actions:\n\n        •   Determined the extent to which the BBG’s information security plans, programs,\n            and practices complied with FISMA requirements; applicable Federal laws,\n            regulations, and standards; relevant OMB Circular No. A-130, revised; processes\n            and reporting requirements included in Appendix III; and NIST and FIPS\n            requirements.\n        •   Reviewed relevant security programs and practices to report on the effectiveness of\n            BBG’s agency-wide information security program in accordance with OMB’s annual\n            FISMA reporting instructions. The audit approach addressed the DHS FY 2012\n            Inspector General Federal Information Security Management Act Reporting Metrics,\n            dated March 6, 2012.\n        •   Assessed programs for monitoring of security policy and program compliance and\n            responding to security events, for example, unauthorized changes detected by\n            intrusion detection systems.\n        •   Performed testing of major systems at the discretion of OIG.\n\n[4] OMB Circular No. A-130, rev., “Management of Federal Information Resources,” app. III, “Security of Federal\nAutomated Information Resources,” Nov. 30, 2000.\n[5] OMB Circular No. A-11, “Preparation, Submission, and Execution of the Budget,” Aug. 2011.\n\n      •   Assessed the adequacy of internal controls related to the areas reviewed. 
Control\n          deficiencies identified during the review are included in this report.\n      •   Evaluated BBG’s remedial actions taken to address the previously reported\n          information security program control weaknesses identified in OIG’s Evaluation of\n          the Information Security Program at the Broadcasting Board of Governors\n          (AUD/IT/IB-12-15, November 2011).\n\nReview of Internal Controls\n\n   We reviewed BBG’s internal controls to determine whether\n\n      •   The organization has established an enterprise-wide continuous monitoring\n          program that assesses the security state of information systems that is\n          consistent with FISMA requirements, OMB policy, and applicable NIST\n          guidelines.\n      •   The agency has established and is maintaining a security configuration\n          management program that is consistent with FISMA requirements, OMB\n          policy, and applicable NIST guidelines.\n      •   The agency has established and is maintaining an account and identity\n          management program that is generally consistent with NIST and OMB\n          FISMA requirements and identifies users and network devices.\n      •   The agency has established and is maintaining an incident response and\n          reporting program that is consistent with FISMA requirements, OMB policy,\n          and applicable NIST guidelines.\n      •   The organization has established a risk management program that is consistent\n          with FISMA requirements, OMB policy, and applicable NIST guidelines.\n      •   The agency has established and is maintaining a security training program that\n          is consistent with FISMA requirements, OMB policy, and applicable NIST\n          guidelines.\n      •   The agency has established a POA&M program that is consistent with FISMA\n          
requirements, OMB policy, and applicable NIST guidelines and that tracks\n          and monitors known information security weaknesses.\n      •   The agency has established and is maintaining a remote access program that is\n          generally consistent with NIST and OMB FISMA requirements.\n      •   The agency has established and is maintaining an entity-wide business\n          continuity/disaster recovery program that is generally consistent with NIST\n          and OMB FISMA requirements.\n      •   The organization has established a program to oversee systems operated on its\n          behalf by contractors or other entities, including organization systems and\n          services residing in the cloud external to the organization.\n      •   The agency has established and maintains a capital planning and investment\n          program for information security.\n\nUse of Computer-Processed Data\n\n        During the audit, we utilized computer-processed data to obtain samples and information\nregarding the existence of information security controls. Specifically, we obtained data extracted\nfrom Microsoft’s Windows Active Directory and BBG’s human resources system to test user\naccount management controls. We assessed the reliability of computer-generated data primarily\nby comparing selected data with source documents. We determined that the information was\nreliable for assessing the adequacy of related information security controls.\n\n\n                                                                                    Appendix B\n\n    B. 
Followup of Recommendations From the FY 2011 Evaluation of the\n       Broadcasting Board of Governors Information Security Program\n        The audit team reviewed actions implemented by management to mitigate the findings\nidentified in the FY 2011 evaluation of BBG’s Information Security Program. The current status\nof each of the recommendations follows:\n\nRecommendation 1. We recommend that the Chief Information Officer ensure that the selected\nsystem inventory management software tool is acquired and implemented and a process is\ndeveloped to update, not less than annually, the Broadcasting Board of Governors’ (BBG)\nsystem inventory when changes are made to those information systems operated by or under the\ncontrol of BBG or by third-party contractors or agencies on behalf of BBG, as required by the\nNational Institute of Standards and Technology Special Publication 800-53, Revision 3.\n\nStatus: Closed from FY 2011 report; this repeat recommendation has become Recommendation\n8 (Finding H) in the FY 2012 report.\n\nRecommendation 2. We recommend that the Chief Information Officer complete the\ndevelopment and implementation of security configuration procedures and periodically assess\ncompliance with the implemented procedures, as required by the National Institute of Standards\nand Technology Special Publication 800-53, Revision 3.\n\nStatus: Closed from FY 2011 report; this repeat recommendation has become Recommendation\n1 (Finding A) in the FY 2012 report.\n\nRecommendation 3. 
We recommend that the Chief Information Officer develop procedures to\nensure that security controls are properly managed and maintained for all systems that access the\nBroadcasting Board of Governors network as required by the National Institute of Standards and\nTechnology Special Publication 800-53, Revision 3.\n\nStatus: Closed from FY 2011 report; this repeat recommendation has become Recommendation\n2 (Finding B) in the FY 2012 report.\n\nRecommendation 4. We recommend that the Chief Information Officer update the security\nawareness training policy requiring all new personnel to attend initial and refresher security\nawareness training and enforce consequences of noncompliance for personnel who do not\nsuccessfully complete the security awareness training, as required by the National Institute of\nStandards and Technology Special Publication 800-53, Revision 3, and the Broadcasting Board\nof Governors information security policies.\n\nStatus: Closed from FY 2011 report; this repeat recommendation has become Recommendation\n5 (Finding E) in the FY 2012 report.\n\nRecommendation 5. We recommend the Chief Information Officer develop a policy requiring\nresponsible managers to review and update Plans of Action and Milestones and assess the\ntimeliness of corrective actions to determine whether additional resources may need to be\nallocated to prevent delays, as required by the Office of Management and Budget Memorandum\nM-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act\nand Agency Privacy Management, September 14, 2011.\n\nStatus: Closed. 
The Plans of Action and Milestones (POA&M) policy was revised in February\n2012 to require system owners to review progress toward remediating security weaknesses\nidentified in their systems and to update the POA&M accordingly. We observed minutes from\nmeetings reviewing the statuses of corrective actions, the status reports provided by system\nowners, and the corresponding POA&Ms.\n\nRecommendation 6. We recommend that the Chief Information Officer implement the process\nand software tool to assess the adequacy of the security configurations of third-party devices that\nrequest access to the Broadcasting Board of Governors network and grant access only to properly\nconfigured devices, as required by the National Institute of Standards and Technology Special\nPublication 800-53, Revision 3.\n\nStatus: Closed from FY 2011 report; this repeat recommendation has become Recommendation\n7 (Finding G) in the FY 2012 report.\n\nRecommendation 7. We recommend that the Chief Information Officer establish policies and\nprocedures to restrict the use of guest, test, and shared user accounts to ensure user\naccountability in accordance with the National Institute of Standards and Technology Special\nPublication 800-53, Revision 3.\n\nStatus: Closed. We observed that policies and procedures had been updated in March 2012 to\nlimit and manage the use of guest, test, and shared user accounts. We also reviewed a sample of\nthe required quarterly reports detailing the existence of guest, test, and shared user accounts.\n\nRecommendation 8. 
We recommend that the Chief Information Officer establish policies and\nprocedures requiring system owners to notify account managers when information system users\nare terminated or transferred, or when information system usage or need-to-know/need-to-share\nchanges are made, in accordance with the National Institute of Standards and Technology Special\nPublication 800-53, Revision 3.\n\nStatus: Closed from FY 2011 report; this repeat recommendation has become Recommendation\n3 (Finding C) in the FY 2012 report.\n\nRecommendation 9. We recommend that the Chief Information Officer implement procedures\nto monitor and review compliance with the password reset procedures to ensure that Help Desk\npersonnel enforce the password reset policy, which requires the requesting user to be physically\npresent to allow Help Desk personnel to verify the user’s identity.\n\nStatus: Closed. The password reset procedures were refined to include user identification\nmeasures, and training was provided to Help Desk personnel in May 2012. During our testing\nof the procedures, we requested a password reset. No exceptions were noted.\n\nRecommendation 10. We recommend that the Chief Information Officer develop and\nimplement policies and procedures to perform routine vulnerability assessments for all major\nsystems and general support systems, as required by the National Institute of Standards and\nTechnology Special Publication 800-53A.\n\nStatus: Closed. We observed that policies and procedures had been implemented in February\n2012 to perform monthly vulnerability assessments for all major systems and general support\nsystems. Additionally, we requested and inspected a sample of the monthly vulnerability\nassessment reports.\n\nRecommendation 11. 
We recommend that the Chief Information Officer ensure that the\nDirector of Disaster Recovery and Business Continuity develop and implement contingency\nplanning policies and procedures; develop contingency plans for the Broadcasting Board of\nGovernors (BBG) infrastructure (network) and its major systems; provide contingency planning\ntraining to personnel who are responsible for the recovery of the network and systems; perform\nperiodic testing of BBG’s contingency plans; and update the plan based on lessons learned, as\nrequired by the National Institute of Standards and Technology Special Publication 800-34,\nRevision 1.\n\nStatus: Closed from FY 2011 report; this repeat recommendation has become Recommendation\n9 (Finding I) in the FY 2012 report.\n\nRecommendation 12. We recommend that the Chief Information Officer develop and\nimplement a complete and comprehensive process that meets United States-Computer\nEmergency Readiness Team’s (US-CERT) requirements for identifying, reporting, and resolving\ncomputer security incidents in a timely manner, as required by the National Institute of Standards\nand Technology Special Publication 800-61, Revision 1, and Office of Management and Budget\nMemorandum M-07-16. Also, BBG’s Computer Security Incident Management Policy should\nbe revised to include clear and comprehensive guidance for the identification, prioritization, and\nnotification of security incidents, both internally and to US-CERT. The security incident\nidentification and notification procedures should also specifically address the procedures for\nresponding to security incidents involving the breach of personally identifiable information\nwhether in electronic or paper format.\n\nStatus: Closed. 
We observed that the incident response policy had been revised in January\n2012 to include the US-CERT requirements for identifying, reporting, and resolving computer\nsecurity incidents, inclusive of security incidents involving the breach of personally identifiable\ninformation.\n\n\n                                                                                                            Appendix C\n\n                     C. Broadcasting Board of Governors Response\n\n\nBroadcasting Board of Governors\n\nINTERNATIONAL BROADCASTING BUREAU\n\n\n                                                             NOV -6       2012\n\n\n        Mr. Harold W. Geisel\n        Deputy Inspector General\n        Department of State\n\n\n        Dear Mr. Geisel:\n\n\n        This is in response to the e-mail from Ms. Amy Conigliaro, dated October 22, 2012, regarding\n        the Office of Inspector General (OIG) draft report titled, "Audit of the Broadcasting Board of\n        Governors Information Security Program," Report Number AUD-IT-XX-XX, issued October\n        2012.\n\n\n        The Broadcasting Board of Governors (BBG) has reviewed the report and provides its comments\n        to address Recommendations 1 through 9 as noted on the enclosure.\n\n\n        We thank you for the opportunity to respond to the report. If you have any questions, please feel\n        free to contact Ms. Barbara Tripp at (202) 203-4609 or Ms. 
Kelu Chao, Director, IBB Office of\n        Performance Review at (202) 203-4800.\n\n\n                                                       Sincerely,\n\n\n                                                       [signature]\n                                                       Richard M. Lobo\n                                                       Director\n\n\n        Enclosure: As Stated\n\n\n\n\n                        330 Independence Avenue, SW          Washington, DC 20237\n\n\n\n                                                                                         Enclosure\n\n\n\n                            BBG\'s Response to OIG\'s Draft Report\n       "Audit of the Broadcasting Board of Governors Information Security Program,"\n                    Report Number AUD-IT-XX-XX, Issued October 2012\n\n\n\nBBG Comments:\n\n\nThe Broadcasting Board of Governors (BBG) believes significant progress has been made over\nthe past year in complying with FISMA requirements. 
In light of that progress, the BBG\nrequests that the OIG consider adding the following bullet points to the management control\nimprovements listed on page one of the Executive Summary as follows:\n\n\n   •    Installed and configured an inventory management tool.\n   •    Developed and implemented policies and procedures for Plans of Action and Milestones\n        (POA&M).\n   •    Ensured adherence to password reset policies and procedures.\n   •    Revised the BBG Incident Response Policy to align with guidance from the National\n        Institute of Standards and Technology (NIST).\n\n\nRecommendation 1: We recommend that the Chief Information Officer ensure that security\nconfiguration standards and procedures are completed, as required by the National Institute of\nStandards and Technology Special Publication 800-53, Revision 3.\n\n\nBBG Response (October 31, 2012): BBG concurs. The BBG has created and filled a\nChange Manager Position within TSI\'s IT Directorate to address configuration standards\nand procedures. Through his efforts, TSI is adopting change management policy and\nprocesses consistent with Information Technology Information Library standards.\nAdditionally, TSI has acquired Microsoft\'s System Center Configuration Manager (MS\nSCCM) for configuration management of agency servers and workstations. Configuration\nplanning for the MS SCCM implementation is currently underway with full production\nsystem utilization expected by March 31, 2013. 
The CIO will oversee testing of this tool\nand the development of associated processes.\n\n\nRecommendation 2: We recommend that the Broadcasting Board of Governors develop and\nimplement policies to require all agency entities with systems that connect to the Broadcasting\nBoard of Governors network to abide by the security policies and requirements established by\nthe Broadcasting Board of Governors Information Technology Department and grant the Chief\nInformation Officer the necessary authority to enforce consequences for noncompliance.\n\n\nBBG Response (October 31, 2012): BBG concurs. The CIO will attempt to strengthen the\nIT security controls over all Federal BBG elements that connect to the BBG\'s Wide Area\nNetwork (WAN). These BBG Federal elements include the International Broadcasting\nBureau, the Office of Cuba Broadcasting, and the Voice of America. If full compliance\ncannot be met, compensating controls will be put in place to ensure an acceptable risk level\nfor the BBG. The CIO will continue to assess progress.\n\n\nRecommendation 3: We recommend that the Chief Information Officer ensure that user\naccounts are properly configured and maintained in accordance with the Broadcasting Board of\nGovernors policies. If the Broadcasting Board of Governors determines that exceptions to the\nimplemented policies may be necessary, the Broadcasting Board of Governors should identify,\nassess, and document the associated risks. If the Broadcasting Board of Governors further\ndetermines that the identified risks are acceptable, the exceptions should be documented and\napproved by information technology management.\n\n\nBBG Response (October 31, 2012): BBG concurs. 
The CIO will review and strengthen IT\nprocesses that manage user accounts. The BBG strongly believes that the account\nirregularities the OIG observed resulted from temporary transition issues caused by\nmigration of agency mail accounts and VPN token vendors. The BBG expects to be in full\ncompliance with this recommendation by January 31, 2013.\n\n\nRecommendation 4: We recommend that the Chief Information Officer ensure that procedures,\nas stated within the Broadcasting Board of Governors Computer Security Incident Management\nPolicy, are followed to ensure that security incidents are properly reported, as required by the\nUnited States Computer Emergency Readiness Team\'s Federal Incident Reporting Guidelines.\n\n\nBBG Response (October 31, 2012): BBG concurs. The CIO has taken steps to implement\nthis policy immediately.\n\n\nRecommendation 5: We recommend that the Chief Information Officer develop and implement\na formal sanction process for personnel who do not successfully complete the security awareness\ntraining, as required by the National Institute of Standards and Technology Special Publication\n800-53, Revision 3.\n\n\nBBG Response (October 31, 2012): BBG concurs. The CIO and BBG\'s leadership team\nhave taken steps to implement strict discipline measures effective this year with the current\ncycle of the IT security awareness training. On October 31, 2012, the security awareness\ntraining deadline, TSI\'s IT Directorate notified all BBG users and their direct supervisors\nthat IT is prepared to disable their computer accounts if employees fail to complete the\nrequired training by November 2, 2012. The BBG provided the extension in light of\npotential hardships created by Hurricane Sandy. 
BBG\'s current compliance rate is 92%\nversus 25% in 2011.\n\n\nPlease also note that senior management has been apprised of the email message sent to\nimpacted employees.\n\n\nRecommendation 6: We recommend the Chief Information Officer ensure that the\nBroadcasting Board of Governors Plans of Action and Milestones program is developed in\naccordance with its policy, which requires the Broadcasting Board of Governors Plans of Action\nand Milestones to include the data elements found in Office of Management and Budget\nMemorandum M-02-01.\n\n\nBBG Response (October 31, 2012): BBG concurs. The CIO will expand on the data\nelements contained in the POA&M tracking sheet as efforts continue to mature internal IT\nproject governance. The March 2013 quarterly cycle of POA&M tracking sheets will\nreflect this improvement.\n\n\nRecommendation 7: We recommend that the Chief Information Officer implement procedures\nto assess the adequacy of the security configurations of third-party devices that request access to\nthe Broadcasting Board of Governors network and grant access only to properly configured\ndevices, as required by the National Institute of Standards and Technology Special Publication\n800-53, Revision 3.\n\n\nBBG Response (October 31, 2012): BBG concurs. The CIO will develop the process and\ninitiate planning and testing of the tool procured to assess the adequacy of the security\nconfigurations of third-party devices that request access (generally through a Virtual\nPrivate Network [VPN]) to the BBG network. 
The CIO will grant access only to those\nwhose configurations are deemed sufficient by March 31, 2013.\n\n\nRecommendation 8: We recommend that the Chief Information Officer ensure that the\nInformation Technology Director create and implement a standardized process to collect\ninformation used to develop and subsequently update the Broadcasting Board of Governors\nsystem inventory, and update the general support system\'s security plan control for Information\nSystem Component Inventory (CM-8), specifically the organizationally defined frequency of\ninventory assessments, as required by the National Institute of Standards and Technology Special\nPublication 800-53, Revision 3.\n\n\nBBG Response (October 31, 2012): BBG concurs. The BBG has acquired an inventory\nmanagement software tool and is currently establishing internal tracking processes.\nSignificant progress has been made, but full implementation is not expected until March\n31, 2013. The CIO will continue to oversee this effort.\n\n\nRecommendation 9: We recommend that the Chief Information Officer ensure that the Director\nof Disaster Recovery and Business Continuity develop and implement contingency planning\npolicies and procedures, develop contingency plans for the Broadcasting Board of Governors\ninfrastructure (network) and its major systems, provide contingency planning training to\npersonnel who are responsible for the recovery of the network and systems, perform periodic\ntesting of the Broadcasting Board of Governors contingency plans, and update the plan based on\nlessons learned, as required by the National Institute of Standards and Technology Special\nPublication 800-34, Revision 1.\n\n\nBBG Response (October 31, 2012): BBG concurs. The BBG agrees to further develop\ncontingency plans and increase investments in offsite systems to be used for business\ncontinuity. 
To support and lead this effort, the CIO is attempting to fill a Disaster\nRecovery and Business Continuity Manager position. If full compliance cannot be met,\ncompensating controls will be put in place to ensure an acceptable risk level for BBG. The\nCIO will continue to assess progress.\n'
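Appendix A ("Use of Computer-Processed Data") describes the control test behind several of the account findings above: an Active Directory user export is compared against the agency's human resources extract to see whether accounts of separated staff are still enabled and whether accounts with no HR owner (guest, test, shared or service accounts) are documented exceptions. The following Python script is an added example of that reconciliation; it is not the auditor's or BBG's tooling, and the column names, the 90-day dormancy threshold and the sample rows are constructed assumptions for illustration.

```python
"""Reconcile an Active Directory user export against an HR roster.

Added example, not from the OIG report or BBG. It shows the AD-vs-HR
comparison used to test user account management controls (Appendix A),
the terminated-user condition behind Recommendation 3 of this report and
Recommendation 8 of the FY 2011 evaluation, and the guest/test/shared
account condition behind FY 2011 Recommendation 7. Column names, the
90-day dormancy threshold and all sample rows are assumptions.
"""
import csv
import io
from datetime import date

# Constructed AD export (e.g. from Get-ADUser | Export-Csv); not real data.
AD_EXPORT = """samAccountName,enabled,employeeID,lastLogonDate
asmith,True,E1001,2012-09-20
bjones,True,E1002,2012-09-25
cwu,True,E1003,2012-04-02
dlee,False,E1004,2012-02-11
guest,True,,2012-08-30
svc_backup,True,,2012-09-29
"""

# Constructed HR extract; status is the HR system's employment status.
HR_EXPORT = """employeeID,name,status,separationDate
E1001,Alice Smith,Active,
E1002,Bob Jones,Terminated,2012-08-15
E1003,Carol Wu,Active,
E1004,Dan Lee,Terminated,2012-01-31
"""

DORMANT_DAYS = 90  # assumed threshold; align with agency policy


def parse_csv(text):
    """Return the rows of a CSV text as a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def to_date(s):
    """Parse an ISO date string; empty strings mean 'no value'."""
    return date.fromisoformat(s) if s else None


def reconcile(ad_rows, hr_rows, as_of):
    """Return sorted (account, finding) pairs for enabled AD accounts.

    Findings:
      terminated-enabled  enabled account whose HR record is not Active
      no-hr-match         enabled account with no employee ID / HR record
                          (guest, test, shared or service account: must be
                          a documented, approved exception)
      dormant             enabled account with no logon in DORMANT_DAYS
    """
    hr = {r["employeeID"]: r for r in hr_rows}
    findings = []
    for r in ad_rows:
        if r["enabled"].strip().lower() != "true":
            continue  # disabled accounts are out of scope for this test
        acct = r["samAccountName"]
        emp = hr.get(r["employeeID"])
        if emp is None:
            findings.append((acct, "no-hr-match"))
        elif emp["status"] != "Active":
            findings.append((acct, "terminated-enabled"))
        last = to_date(r["lastLogonDate"])
        if last is None or (as_of - last).days > DORMANT_DAYS:
            findings.append((acct, "dormant"))
    return sorted(findings)


def run_sample(as_of="2012-09-30"):
    """Run the reconciliation over the constructed extracts as of a date.

    With the sample data as of 2012-09-30 this yields: bjones
    terminated-enabled, cwu dormant, guest and svc_backup no-hr-match.
    """
    return reconcile(parse_csv(AD_EXPORT), parse_csv(HR_EXPORT), to_date(as_of))


if __name__ == "__main__":
    for acct, finding in run_sample():
        print(f"{acct:12} {finding}")
```

Each finding maps to a specific control question in the report: a terminated-enabled account means the HR-to-account-manager notification required by FY 2011 Recommendation 8 did not happen; a no-hr-match account is only acceptable if it appears on the quarterly guest/test/shared account report with a documented, approved exception; dormant accounts are the population to review before the next access recertification. The source-document comparison described in Appendix A (checking a sample of rows against personnel files) should still be done before relying on either extract.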